Conventional wireless network access points (APs), routers, bridges, or similar access devices provide one or more clients with access to wireless networks (e.g., WiFi networks) configured according to various standards or protocols (e.g., 802.11a, 802.11g, etc.). A network access point may provide a computing device with access to other nodes on the network, such as computing and peripheral devices that are connected to a home network. A network access point may further provide the communication device with access to the Internet, such as through a service provider associated with the network access point.
A network access point may be configured for open access or shared key access. For open access networks, a communication device may freely gain access to the network through the network access point by discovering or knowing the name or service set identifier (SSID) of the network. In an open access network, the communication device may associate with the network access point and access the network directly without entering a password. For a network access point configured for open access, any client within wireless range may gain access to the network by sending a connect request to the network access point, for example using the SSID for the network access point or network. The network access point will generally allow association with the network in an open access operational mode.
In a shared key network, a communication device may gain access to the network through the network access point only after successfully submitting the shared key or password. If the network access point confirms that the submitted key or password is correct, the communication device is granted access to the network. For access points configured for shared key access, the wireless communication link between the network access point and the communication device may be encrypted with a password or encryption key, which the client may enter when initially connecting to the network access point and network or at a later time using a stored version of the key. In a shared key access configuration mode, packets or frames that are sent between the network access point and the communication device may be encrypted and decrypted using the shared key. Thus, in order for the network access point to process the packets or frames received from the communication device, the communication device must have used the correct encryption key.
When a new network access point device is installed, it may be configured for shared key access by setting a password, which is generally a single password representing the shared key. The person assigning the password may act as the “administrator” of the network access point and thus the network. Because only a single key is used for access, any device that attempts to gain access to the network through the network access point using the single key may be granted access. Because the password is not associated with any particular accessing device, the number of devices that could potentially access the network is limited only by the ability to control the distribution of the shared key or password. Thus, anyone knowing the password can gain access to the network by correctly entering the password during an access procedure between the device and the network access point, regardless of the communication device they are using.
Security vulnerabilities may arise, however, when distributing passwords to guests who require network access. Presently, one of the few options for providing guest access is to provide guests with the network password. Since, by design, there is no association between the password and any particular device, the guest may give the password to others who may then access the network with their devices. Thus, when the password is distributed to even one person other than the administrator, there is a risk of unintentional disclosure of the password. When the password becomes widely distributed, access control and network security may become compromised.
To address this security risk, system administrators may periodically change the password. However, the new password must be re-distributed to legitimate or desired guests, and the cycle of unintentional distribution of the password and potential compromise of security may be repeated. Other options to avoid divulging the main access point password may involve setting up a guest account or accounts with a guest password. Such a process can be costly, complex, unreliable and time-consuming, as the configuration of the network access point hardware to support additional service set identifiers (SSIDs) or the use of additional network access points may be necessary. Even if a separate guest access is established, the same problem arises with regard to the guest accounts, because the guest password may be given out to others who may then gain access to the network.
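The following added example (not part of the original text) models why a shared key cannot distinguish one device from another and why rotating it locks out everyone until the key is re-distributed. It assumes WPA2-Personal, which the text does not name, where the master key is derived only from the passphrase and the SSID; the `AccessPoint` class, SSID, passphrases and MAC addresses are hypothetical, and the direct key comparison stands in for the real handshake.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

class AccessPoint:
    """Hypothetical AP model; comparing keys stands in for the real 4-way handshake."""

    def __init__(self, ssid: str, passphrase: str):
        self.ssid = ssid
        self.set_passphrase(passphrase)

    def set_passphrase(self, passphrase: str) -> None:
        self._pmk = derive_pmk(passphrase, self.ssid)

    def admits(self, device_mac: str, client_pmk: bytes) -> bool:
        # The AP sees device_mac, but the shared key has no device input,
        # so the decision can depend only on the key itself.
        return hmac.compare_digest(client_pmk, self._pmk)

def run_scenario() -> dict:
    # Constructed sample values: SSID, passphrases and MAC addresses are made up.
    ssid, old, new = "HomeNet", "correct horse battery", "rotated staple 2024"
    owner, guest, unknown = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
    devices = (owner, guest, unknown)
    ap = AccessPoint(ssid, old)

    # The guest passed the password on: every device derives the same key.
    before = {mac: ap.admits(mac, derive_pmk(old, ssid)) for mac in devices}

    # The administrator rotates the password: all devices are locked out,
    # including the legitimate ones, until the new password is handed out.
    ap.set_passphrase(new)
    after_rotation = {mac: ap.admits(mac, derive_pmk(old, ssid)) for mac in devices}

    # Once the new password is re-distributed, it is again device-independent.
    redistributed = {mac: ap.admits(mac, derive_pmk(new, ssid)) for mac in devices}
    return {"before": before, "after_rotation": after_rotation,
            "redistributed": redistributed}

if __name__ == "__main__":
    for phase, outcome in run_scenario().items():
        print(phase, outcome)
```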